New 2 Cracking
~~~~~~~~~~~~~~

Tutorial Type  : Essay
Tutorial Topic : How To Turn a Program into its own keygen (Keygen Injection over Strings)
Utilities      : Debugger (whatever you like..) / W32Dasm / Hex Editor / Digi-Watcher 1.32
Music          : Silence, any version will do (even if it's real silence ;])
Written by     : ParaBytes
Date           : Nov. 23rd, 2001
Remarks        : Digi-Watcher is available at www.Digi-Watcher.com

Intro :
\_______/

Well, I wanted to make a keygen on nag patching, so I took this program. I remember that when I cracked Watcher 1.1 (I was the 1st :)) I did a patch that covered all the routines: nags, serial, limit. So I downloaded this version and started cracking, well... I couldn't find this thing, so I said, hey, let's keygen it or something.. but I got a better idea! Keygen injection...

Let's make clear what keygen injection is. K.I. (it's shorter, I'll use it in the rest; k.i. = keygen injection) is making a program the keygen of itself, so when you insert a bad reg code, you'll get the real code instead of the 'register code is bad' error...

Start Here (if you read the intro before...)
~~~~~~~~~~

Let's wave ;p Well, this is the start.. let's run the exe first... hmmm, nag screen? Machine ID?? Oh my! Let's insert some code, like 'ParaBytes0wnzDigiWatcher4Life', and click Register. Hmmm, error message, write it down. Close the program... (You have one error for a short serial and one for a bad serial; we will discuss them later.)

Let's load this exe file into W32Dasm and look in the String References for our message. Hey, I see "Thank you!"; well, if they knew me they wouldn't thank me so much, but they don't... Let's click on it and get the place of that string. Wow, under this string we see a whole thanks-for-registering message, we are in the right place... Let's go up, hmmm, a conditional jump from an offset close by; scroll up toward this offset, hmmm, "register code is wrong"? OK, we are really in the right place...
So, above the conditional jump (004245F6, the jump offset) we see a reference to strncmp. Well, Str is string, Cmp is compare, which means we are dealing with a string comparison, and right after it we get the error message?? Hmm (m*c^2=E ;p), that means we found a place where the serials are probably getting compared.

Load this file into your favourite debugger (SoftICE / W32Dasm / OllyDbg / TRW2000 / etc...) and set a bpx on the offset just before the call (004245E6). Run the file, enter the serial you want (a fake one..) and register. (Now, if you broke in, skip to the next step, Understanding; if not, continue.)

    Hmmm... "Re-Enter my code"?? No break??
    Well, it must be because we entered a serial that doesn't meet the conditions;
    it might be only hex digits, or only numbers, we don't know.
    Let's look for the "Re-Enter" string in W32Dasm, and what do we find just above this string?
        cmp ecx,1B  --> jnb checkserials
    That means it should be longer than 26 chars... let's remember this for now.
    Re-enter a 27-char code, and now it's breaking!

Understanding the part of the K.I.
----------------------------------

What the program is doing is:

    push serial1    <-- set the 1st (usually the good one) onto the stack
    push serial2    <-- set the 2nd (usually our fake) onto the stack
    call StrCmp     <-- call the function (there are lots of StrCmp's)
    test al,al      <-- if they are equal, al=0
    je goodBoy      <-- if zero, good boy!
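As an added example (not from this tutorial or from Digi-Watcher), here is the check pattern the Understanding section describes, written in C beside the form a defender would use instead: the serial values are constructed placeholders and the FNV-1a function stands in for a real cryptographic hash.

```c
/* Added example (not the tutorial's code): why the push serial1 / push serial2 /
 * call StrCmp pattern above is turned into its own keygen so easily, and the
 * check a defender would write instead. The serials and the hash function are
 * constructed placeholders; FNV-1a stands in for a real cryptographic hash. */
#include <stdint.h>
#include <string.h>

#define MIN_LEN 27   /* matches the "cmp ecx,1B / jnb" length gate on the page */

/* Weak check, as the tutorial describes it: the real serial is a plain string
 * in the binary and is pushed right next to the user's input. Any patch that
 * redirects one push, or any debugger that reads the stack, gets the real key. */
static const char REAL_SERIAL[] = "CONSTRUCTED-EXAMPLE-SERIAL-00001"; /* placeholder */

int check_weak(const char *input)
{
    if (strlen(input) < MIN_LEN)
        return -1;                          /* "Re-Enter my code" */
    return strcmp(REAL_SERIAL, input) == 0; /* 1 = good boy, 0 = bad boy */
}

/* 64-bit FNV-1a: a stand-in so the example runs offline; use SHA-256 or a
 * public-key signature check in real code. */
uint64_t digest(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    return h;
}

/* Hardened check: the binary stores only a digest of the valid serial, so there
 * is no "push serial1" to redirect into a MessageBox, and the comparison is
 * constant-time so the compare itself leaks nothing. The accept/reject branch
 * can still be patched; the difference is that patching no longer reveals a key. */
int check_hashed(const char *input, uint64_t expected)
{
    if (strlen(input) < MIN_LEN)
        return -1;
    uint64_t got = digest(input);
    unsigned char diff = 0;
    for (size_t i = 0; i < sizeof got; i++)
        diff |= ((unsigned char *)&got)[i] ^ ((unsigned char *)&expected)[i];
    return diff == 0;
}
```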
And the message is a MessageBox; it works like this:

    push buttons     <-- set the buttons (0 is just an OK box)
    push caption     <-- set the messagebox caption
    push text        <-- set the text inside the messagebox
    call MessageBoxA <-- the call

So what we should do is, somehow, when you get the badboy message, replace the message text with the serial location and re-edit the caption to something like 'This is your real key :'. So the badboy message will look like this:

    push 0           <-- set the OK button
    push Caption     <-- set our changed caption
    push serial1     <-- push the real serial
    call MessageBoxA <-- execute the message

OK... let's get patching. Open the hex editor, go to the string check location and copy the code of push serial1; in our code it's:

    push 00490720

So let's copy the code (6820074900) and go to the push text; in our code it's:

    push 00442660

Replace the push text with the push serial. Now seek the caption ("Registration Error") and change it to what you like (I did "This is your real key :"), and MAKE SURE YOU USE THE SAME NUMBER OF LETTERS. IF YOU USE LESS, FILL WITH SPACES; IF YOU USE MORE, THE PROGRAM WILL CRASH. Save, run, press Register, and? Ohh damn! The check for the length. Write down this error, re-open in W32Dasm, look for this string; right above we see the jnb goodLength. Let's change it to jmp: open the hex editor, go to this code location, you'll see 7316 (73 means jnb), change it to EB16 and it will be jmp. Save, run, tada!

Ending :
+--------+

We learnt today that k.i. over strcmp is not hard, at least with this basic program :) We need to push and edit, that's all :))

Greetingz :
~~~~~~~~~~~

tKC, your tutorial of k.i. on Delphi made me realise how easy this whole k.i. thing is.
Invoker, thanks for being such a good friend.
shockz, for being an excellent student and nagging me until you understood the WinZip tut.
Anvile, DarkMoon, Invoker, d4d0, ChibiHime, PhANt0m, the current and past N2C staff, you 0wnz!
All the people who help me, irl and virtually. ThE-SAiNT, I really appreciate your help..
Thanks to all the newbies I ever met; they made me realise that you are on your 0wn, and I started to be a teacher.
iNSiGHT, Embrace, Digital Reality ppl, new sk00l and 0ld sk00l, tnx all, without you I'd never have made it in cracking...
Tnx to everyone who helps newbies, love ya all, and of course whoever publishes this tut, reads this tut and learns from it... love ya, ParaBytes.

Contact me :
~~~~~~~~~~~~

E-Mail : Lewsers@Hotmail.com
IRC    : EFNet - #New2Cracking

Here ;p
ParaBytes.